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Windows event logging provides detailed information like source, username, computer, 
type of event, and level, and shows a log of application and system messages, including errors, 
information messages, and warnings. Microsoft has to keep increasing the efficiency and 
effectiveness of its auditing facilities over the years. Modern Windows systems can log vast 
amounts of information with minimal system impact. Configuring adequate logging on Windows 
systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step 
toward ensuring that your environment is able to support effective incident response using Incident 


response tools 


Event Log Format 


Modern Windows systems store logs in the %SystemRoot%\System32\winevt\logs directory by 
default in the binary XML Windows Event Logging format, designated by the .evtx extension. 
Logs can also be stored remotely using log subscriptions. Events can be logged in the Security, 
System and Application event logs or, on modern Windows systems; they may also appear in 
several other log files. The Setup event log records activities that occurred during the installation of 
Windows. The Forwarded Logs event log is the default location to record events received from 
other systems. But there are also many additional logs, listed under Applications and Services Logs 


in Event Viewer that record details related to specific types of activities. 


e Log Name: The name of the Event Log where the event is stored. Useful when processing 
numerous logs pulled from the same system. 

e Source: The service, Microsoft component or application that generated the event. 

e Event ID: A code assigned to each type of audited activity. 

e Level: The severity assigned to the event in question. 

e User: The user account involved in triggering the activity or the user context that the source 
was running as when it logged the event. Note that this field often indicates “System” or a 
user that is not the cause of the event being recorded. 

e OpCode: Assigned by the source generating the log. Its meaning is left to the source. 

e Logged: The local system date and time when the event was logged. 

e Task Category: Assigned by the source generating the log. Its meaning is left to the source. 

e Keywords: Assigned by the source and used to group or sort events. 

e Computer: The computer on which the event was logged. This is useful when examining 
logs collected from multiple systems, but should not be considered to be the device that 
caused an event (such as when a remote logon is initiated, the Computer field will still show 


the name of the system logging the event, not the source of the connection). 


e Description: A text block where additional information specific to the event being logged is 


recorded. This is often the most significant field for the analyst. 
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Account Management Events 


The following events will be recorded on the system where the account was created or modified, 


which will be the local system for a local account or a domain controller for a domain account. 


Event ID 
4720 
4722 
4723 
4724 
4725 
4726 
4727 
4728 


Description 

A user account was created. 

A user account was enabled. 

A user attempted to change an account’s password. 
An attempt was made to reset an account’s password. 
A user account was disabled. 

A user account was deleted. 

A security-enabled global group was created. 


A member was added to a security-enabled global group. 


4729 
4730 
4731 
4732 
4733 
4734 
4735 
4737 
4738 
4741 
4742 
4743 
4754 
4755 
4756 
4757 
4758 


4798 


4799 


A member was removed from a security-enabled global group. 
A security-enabled global group was deleted. 

A security-enabled local group was created. 

A member was added to a security-enabled local group. 

A member was removed from a security-enabled local group. 
A security-enabled local group was deleted. 

A security-enabled local group was changed. 

A security-enabled global group was changed. 

A user account was changed. 

A computer account was created. 

A computer account was changed. 

A computer account was deleted. 

A security-enabled universal group was created. 

A security-enabled universal group was changed. 

A member was added to a security-enabled universal group. 

A member was removed from a security-enabled universal group. 
A security-enabled universal group was deleted. 


A user’s local group membership was enumerated. Large numbers of these events 


may be indicative of adversary account enumeration. 


A security-enabled local group membership was enumerated. Large numbers of 


these events may be indicative of adversary group enumeration. 


Account Logon and Logon Events 


Account Logon is the Microsoft term for authentication. Logon is the term used to refer to an 


account gaining access to a resource. Both Account Logon and Logon events will be recorded in 


the Security event log. Authentication (account logon) of domain accounts is performed by a 


domain controller within a Windows network. Local accounts (those that exist within a local SAM 


file rather than as a part of Active Directory) are authenticated by the local system where they exist. 


Account logon events will be logged by the system that performs the authentication. Auditing of 


Account Logon and Logon events is easily set by Group Policy. While Microsoft continues to 


enable more logging by default as new versions of Windows are released, administrators should 


review their audit policies on a regular basis to ensure that all systems are generating adequate logs. 


The ability to store event logs on remote systems (either using the native Microsoft remote logging 


features or third-party SIEM tools or other tools) helps safeguard logs from alteration or 


destruction. 


Event IDs of particular interest on domain controllers, which authenticate domain users, include: 


Event ID 


4768 


Decimal 


6 


12 


18 
23 
24 
32 
37 


Event ID 


4769 


Description 


The successful issuance of a TGT shows that a user account was authenticated by the 


domain controller. The Network Information section of the event description contains 


additional information about the remote host in the event of a remote logon attempt. 


The Keywords field indicates whether the authentication attempt was successful or 


failed. In the event of a failed authentication attempt, the result code in the event 


description provides additional information about the reason for the failure, as 


specified in RFC 4120. Some of the more commonly encountered codes are: 


Common Event ID 4768 result codes 


Hex Meaning 
0x6 Username not valid. 
Policy restriction prohibiting this logon (such as a workstation restriction or time- 
i of-day restriction). 
0x12 The account is locked out, disabled, or expired. 
0x17 The account’s password is expired. 
0x18 The password is incorrect. 
0x20 The ticket has expired (common on computer accounts). 
0x25 The clock skew is too great. 
Description 


A service ticket was requested by a user account for a specified resource. This event 


description shows the source IP of the system that made the request, the user account 


used, and the service to be accessed. These events provide a useful source of evidence as 


they track authenticated user access across the network. 


A service ticket was renewed. The account name, service name, client IP address, and 


4770 

encryption type are recorded. 

Depending on the reason for a failed Kerberos logon, either Event ID 4768 or Event ID 
4771 4771 is created. In either case, the result code in the event description provides additional 

information about the reason for the failure. 

This event ID is recorded for NTLM authentication attempts. The Network Information 
voor section of the event description contains additional information about the remote host in 


the event of a remote logon attempt. The Keywords field indicates whether the 


authentication attempt succeeded or failed. 


Common Event ID 4776 error code descriptions 


Error Code Meaning 
0xC0000064 The username is incorrect. 
0xC000006A The password is incorrect. 


Generic logon failure. Possibly bad username or password or mismatch in the LAN 
0xC000006D 
Manager Authentication Level between the source and target computers. 


OxCOOO006F Account logon outside authorized hours. 

0xC0000070 Account logon from unauthorized workstation. 

0xC0000071 Account logon with expired password. 

0xC0000072 Account logon to account disabled by administrator. 
0xC0000193 Account logon with expired account. 

0xC0000224 Account logon with Change Password At Next Logon flagged. 
0xC0000234 Account logon with account locked. 


0xc0000371 The local account store does not contain secret material for the specified account. 


On systems being accessed, Event IDs of note include: 


Event ID Description 


A logon to a system has occurred. Type 2 indicates an interactive (usually local) logon, 
Poy whereas a Type 3 indicates a remote or network logon. The event description will 
contain information about the host and account name involved. For remote logons, 


focus on the Network Information section of the event description for remote host 


10 


11 


information. 


Logon event type code descriptions 


Description 


Interactive, such as logon at keyboard and screen of the system, or remotely using third- 
party remote access tools like VNC, or psexec with the -u switch. Logons of this type will 
cache the user’s credentials in RAM for the duration of the session and may cache the 


user’s credentials on disk. 


Network, such as access to a shared folder on this computer from elsewhere on the 
network. This represents a noninteractive logon, which does not cache the user’s 


credentials in RAM or on disk. 


Batch (indicating a scheduled task). Batch logon type is used by batch servers, where 


processes may be executing on behalf of a user without their direct intervention. 
Service indicates that a service was started by the Service Control Manager. 


Unlock indicates that an unattended workstation with a password protected screen is 


unlocked 


NetworkCleartext indicates that a user logged on to this computer from the network and 
the user’s password was passed to the authentication package in its unhashed form. The 
built-in authentication packages all hash credentials before sending them across the 
network. The credentials do not traverse the network in plaintext (also called cleartext). 
Most often indicates a logon to Internet Information Services (IIS) with basic 


authentication. 


NewCredentials indicates that a user logged on with alternate credentials to perform 
actions such as with RunAs or mapping a network drive. If you want to track users 


attempting to log on with alternate credentials, also look for Event ID 4648. 


RemotelInteractive indicates that Terminal Services, Remote Desktop, or Remote 
Assistance for an interactive logon. See the note on RDP at the end of this section for more 
details. 

CachedInteractive (logon with cached domain credentials such as when logging on to a 
laptop when away from the network). The domain controller was not contacted to verify 


the credential, so no account logon entry is generated. 


Event 


Description 
ID 
A failed logon attempt. Large numbers of these throughout a network may be indicative of 
password guessing or password spraying attacks. Again, the Network Information section of 
ten the event description can provide valuable information about a remote host attempting to log 


on to the system. Note that failed logons over RDP may log as Type 3 rather than Type 10, 
depending on the systems involved. You can determine more about the reason for the 


failure by consulting the Failure Information section of the event description. 


The status code found in Event ID 4625 provides additional details about the event: 


Common logon failure status codes 


Status code Description 

OXC000005E Currently no logon servers are available to service the logon request. 
0xC0000064 User logon with misspelled or bad user account. 

OxCO00006A_ User logon with misspelled or bad password. 

OXCO000006D This is either due to a bad username or incorrect authentication information. 
OXCOO0006E Unknown username or bad password. 

OxCOOO006F User logon outside authorized hours. 

0xC0000070 User logon from unauthorized workstation. 

0xC0000071 User logon with expired password. 

0xC0000072 User logon to account disabled by administrator. 

OXCOOO000DC Indicates the Server was in the wrong state to perform the desired operation. 
0XC0000133 Clocks between domain controller and other computer too far out of sync. 


The user has not been granted the requested logon type (also known as logon right) 
OXC000015B 2 i ia yet 
at this machine. 


The logon request failed because the trust relationship between the primary domain 
OXC000018C 
and the trusted domain failed. 


0XC0000192 An attempt was made to log on, but the Netlogon service was not started. 


0xC0000193 User logon with expired account. 


O0XC0000224 User is required to change password at next logon. 
OXC0000225 Evidently a bug in Windows and not a risk. 
0xC0000234 User logon with account locked. 

OXCOO0002EE Failure Reason: An error occurred during logon. 


Logon Failure: The machine you are logging on to is protected by an authentication 
0XC0000413 
firewall. The specified account is not allowed to authenticate to the machine. 


Event ID Description 


User logoff is recorded by Event ID 4634 or Event ID 4647. The lack of an event 
showing a logoff should not be considered overly suspicious, as Windows is 
4634/4647 inconsistent in logging Event ID 4634 in many cases. The Logon ID field can be used to 
tie the Event ID 4624 logon event with the associated logoff event (the Logon ID is 


unique between reboots on the same computer). 


A logon was attempted using explicit credentials. When a user attempts to use 
hee credentials other than the ones used for the current logon session (including bypassing 
User Account Control [UAC] to open a process with administrator permissions), this 


event is logged. 


This event ID is recorded when certain privileges associated with elevated or 
4672 administrator access are granted to a logon. As with all logon events, the event log will 


be generated by the system being accessed. 


ror This event is logged when a session is reconnected to a Windows station. This can occur 
77 
locally when the user context is switched via fast user switching. 


This event is logged when a session is disconnected. This can occur locally when the 
Fern user context is switched via fast user switching. It can also occur when a session is 
reconnected over RDP. A full logoff from an RDP session is logged with Event ID 4637 


or 4647 as mentioned earlier. 


Access to Shared Objects 


Attackers frequently leverage valid credentials to remotely access data through user created or 
administrative shares. Doing so will generate Account Logon and Logon events as mentioned 
above, but additional logging can also be enabled in the Group Policy Management Console by 


navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> 


Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit File Share. 


Once enabled, the following Event IDs will be logged in the Security Log: 


Network share event IDs 


Event ID Description 


5140 


5142 
5143 
5144 


5145 


A network share object was accessed. The event entry provides the account name and 
source address of the account that accessed the object. Note that this entry will show that 
the share was accessed but not what files in the share were accessed. A large number of 
these events from a single account may be an indicator of an account being used to 


harvest or map data on the network. 
A network share object was added. 

A network share object was modified. 
A network share object was deleted. 


A network share object was checked to see whether client can be granted desired access. 
Failure is only logged if the permission is denied at the file share level. If permission is 


denied at the NTFS level then no entry is recorded. 


If detailed file share auditing is enabled in the Group Policy Management Console by navigating to 


Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit 


Policy Configuration -> Audit Policies -> Object Access -> Audit Detailed File Share, then each 


file within each share that is accessed will generate an Event ID 5145 log entry. As you can 


imagine, this level of logging may generate a large volume of results. 


The system initiating the access may also show evidence of the connections in the registry key 


NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. 


Scheduled Task Logging 


If history is enabled in the Task Scheduler application, through Event Viewer, or with the wevtutil 


command, then the 


%SystemRootZW\S ystem32\winevt\Logs\Microsoft-Windows- TaskScheduler%4Operational 


log will record activity relating to scheduled tasks on the local system as follows: 


Scheduled task activity event IDs 


Event ID Description 


106 


140 


141 


200 


201 


Scheduled Task Created. The entry shows the user account that scheduled the task and 
the name the user assigned to the task. The Logged date and time show when the task 
was scheduled. Look for the associated Event ID 200 and 201 for additional 
information. 

Scheduled Task Updated. The entry shows the user account that updated the task and 
the name of the task. The Logged date and time show when the task was updated. Look 
for the associated Event ID 200 and 201 for additional information. 

Scheduled Task Deleted. The entry shows the user account that deleted the task and the 
name of the task. 

Scheduled Task Executed. Shows the task name and the full path to the executable on 
disk that was run (listed as the Action). Correlate this with the associated Event ID 106 
to determine the user account that scheduled the task. 

Scheduled Task Completed. Shows the task name and the full path to the executable on 
disk that was run (listed as the Action). Correlate this with the associated Event ID 106 


to determine the user account that scheduled the task. 


Also, see the Object Access Auditing section for additional Event IDs that may be recorded in 


relation to scheduled tasks. 


Object Access Auditing 


Object access auditing is not enabled by default but should be enabled on sensitive systems. To do 


so, simply set use the Local Security Policy to set Security Settings -> Local Policies -> Audit 


Policy -> Audit object access to Enabled for Success and Failure. 


Object access audit events are stored in the Security log. If object access auditing is enabled, 


scheduled tasks get additional logging. The Event IDs related to scheduled tasks are: 


Scheduled task event IDs 


Event 


ID 


4698 


4699 


4700 
4701 


4702 


Description 


A scheduled task was created. The event description contains the user account that created 
the task in the Subject section. XML details of the scheduled task are also recorded in the 
event description under the Task Description section and includes the Task Name. 

A scheduled task was deleted. The Subject section of the event description contains the 


Account Name that deleted the task as well as the Task Name. 

A scheduled task was enabled. See Event ID 4698 for additional details. 

A scheduled task was disabled. See Event ID 4698 for additional details. 

A scheduled task was updated. The user who initiated the update appears in the Subject 
section of the event description. The details of the task after its modification are listed in the 


XML in the event description. Compare with previous Event ID 4702 or 4698 entries for 


this task to determine what changes were made. See Event ID 4698 for additional details. 


Aside from scheduled tasks, individual file objects are frequently audited for object access. In 


addition to enabling the option for Success and/or Failure for Audit Object Access as mentioned 


earlier, to audit access to individual files or folders you also need to explicitly set the auditing rules 


in the file or folder’s Properties. dialog box by selecting the Security tab, clicking Advanced, 


selecting the Auditing tab, and setting the type of audit and the user account(s) for which auditing 


should be set. Detailed instructions can be found here: 


https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit- 


policy-on-a-file-or-folder 


For a process to use a system object, such as a file, it must obtain a handle to that object. Once 


auditing is enabled, the event IDs described below can be used to view access to important files and 


folders by tracking the issuance and use of handles to those objects. 


Object handle event IDs 


Event ID Description 


4656 


A handle to an object was requested. When a process attempts to gain a handle to an 


audited object, this event is created. The details of the object to which the handle was 


requested and the handle ID assigned to the handle are listed in the Object section of the 


event description. 


We A registry value was modified. The user account and process responsible for opening the 
7 
handle are listed in the event description. . 


The handle to an object was closed. The user account and process responsible for 
4658 opening the handle are listed in the event description. To determine the object itself, refer 


to the preceding Event ID 4656 with the same Handle ID. 


An object was deleted. The user account and process responsible for opening the handle 
4660 are listed in the event description. To determine the object itself, refer to the preceding 


Event ID 4656 with the same Handle ID. 


An attempt was made to access an object. This event is logged when a process attempts 
hes to interact with an object, rather than just obtain a handle to the object. This can be used 
to help determine what types of actions may have been taken on an object (for example, 


read only or modify data). See Event ID 4656 for additional details. 


Since Windows 8/Server 2012, additional logging can also be enabled in the Group Policy 
Management Console by navigating to Computer Configuration -> Policies -> Windows Settings -> 
Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> 
Audit Removeable Storage. Once enabled, Windows will create additional Event ID 4663 entries 
(see above) whenever an account access a file system object that is on removable storage. This can 


help identify when users are copying data to or from external media. 


Audit Policy Changes 


When audit policy changes, it impacts the evidence available to investigators and incident handlers, 
whether the change was done maliciously by an attacker or legitimately by an administrator. 
Fortunately, modern Windows systems do a good job of logging these changes when they occur. 
The Event ID used for this auditing is 4719: 

e 4719 — System audit policy was changed. The Audit Policy Change section will list the 
specific changes that were made to the audit policy. The Subject section of the event 
description may show the account that made the change, but often (such as when the change 
is made through Group Policy) this section simply reports the name of the local system. 

e 1102 — Regardless of the settings in the audit policy, if the Security event log is cleared, 
Event ID 1102 will be recorded as the first entry in the new, blank log. You can tell the 


name of the user account that cleared the log in the details of the entry. A similar event, 


with ID 104, is generated in the System log if it is cleared. 


Auditing Windows Services 


Many attacks rely on Windows services either for executing commands remotely or for maintaining 
persistence on systems. While most of the events we have mentioned so far have been found in the 
Security Event Log, Windows records events related to starting and stopping of services in the 


System Event Log. The following events are often noteworthy: 


e 6005 — The event log service was started. This will occur at system boot time, and whenever 
the system is manually started. Since the event log service is critical for security, it gets is 
own Event ID. 

e 6006 — The event log service was stopped. While this obviously occurs at system shutdown 
or restart, its occurrence at other times may be indicative of malicious attempts to avoid 
logging of the activity or to modify the logs. 

e 7034 — A service terminated unexpectedly. The event description will display the name of 
the services and may display the number of times that this service has crashed. 

e 7036 — A service was stopped or started. While the event log service has its own Event ID, 
other services are logged under the same Event ID. 

e 7040- The start type for a service was changed. The event description will display the name 
of the service that was changed and describe the change that was made. 

e 7045 — A service was installed by the system. The name of the service is found in the 
Service Name field of the event description, and the full path to the associated executable is 
found in the Service File Name field. This can be a particularly important event as many 


tools, such as psexec, create a service on the remote system to execute commands. 


If you have enabled Advanced Audit Policy Configuration > System Audit Policies > System > 
Audit Security System Extension in your GPOs, Windows 10 and Server 2016/2019 systems will 
also record Event ID 4697 in the Security event log. 


Wireless LAN Auditing 


Windows maintains an event log dedicated to wireless local area network (WLAN) activity, and 
with rogue access points being a common attack vector for man-in-the-middle and malware attacks, 


it may be worth looking at unusual connections on devices with Wi-Fi capability, particularly those 


allowed to leave your environment. The log is located at 
% SystemRoot %\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig % 4 
Operational.evtx. 


Event IDs of interest are: 


Wi-Fi connection event IDs 


Event 


Description 
ID 


WLAN service has successfully connected to a wireless network. The event description 
provides the Connection Mode indicating if this was an automatic connection based on a 
8001 configured profile (and the associated Profile Name) or a manual connection. The SSID of 
the access point, its authentication mechanism, and its encryption mechanism are also 


recorded. 


WLAN service failed to connect to a wireless network. Once again, the event description 
8002 will contain the Connection Mode, associated Profile Name, and the SSID along with a 


Failure Reason field. 


Process Tracking 


Unlike many Linux shells (such as bash) the Windows cmd.exe shell does not maintain a history of 
commands run by users. This has created a noticeable gap in the ability of incident handlers to 
understand the actions that an attacker takes on a compromised host. The rise of “Living of the 
Land” attacks that do not rely on malware but instead use built-in Windows commands has only 
made this blind spot more damaging. While in the early days of Windows, auditing process creation 
was considered far too system 

While not always required on every system, enabling this feature on key systems is increasingly 
becoming standard practice in security-conscious environments. This requires setting two separate 
Group Policy settings. The first is of course Computer Configuration -> Windows Settings -> 
Security Settings -> Local Policies -> Audit Policy -> Audit process tracking. Once enabled, Event 
ID 4688 in the Security log provides a wealth of information regarding processes that have been 
run on the system: 
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component- 


updates/command-line-process-auditing 


Event 


Description 
ID 


A new process has been created. The event description provides the Process ID and Process 
4688 Name, Creator Process ID, Creator Process Name, and Process Command Line (if enabled 


separately, as outlined earlier in this section). 


In addition the Event ID 4688, activation of process tracking may also result in additional Security 
log entries from the Windows Filtering Platform related to network connections and listening ports 
as follows: 

https://learn.microsoft.com/en-us/windows/win32/fwp/about-windows-filtering- 


platform ?redirectedfrom=MSDN 


Windows Filtering Platform (WFP) event IDs 


Event 
Description 
ID 
Hai The Windows Firewall Service blocked an application from accepting incoming 


connections on the network. 
5152 The WFP blocked a packet. 


a The WFP has permitted an application or service to listen on a port for incoming 
connections. 


5156 The WFP has allowed a connection. 

5157 The WFP has blocked a connection. 

5158 The WFP has permitted a bind to a local port. 
5159 The WFP has blocked a bind to a local port. 


The event descriptions of the Windows Filtering Platform events are self explanatory and detailed, 
including information about the local and remote IPs and port numbers as well as the Process ID 
and Process Name involved. 

As can be seen, the information logged by enabling process tracking auditing can be of immense 
value, but can also generate a large amount of data. Experiment with your test environment to come 


up with a balance that can appropriately increase security auditing in your production environment. 


Additional Program Execution Logging 


If AppLocker is configured in your environment (a step that can help frustrate an adversary and 
should be considered), dedicated AppLocker event logs will be generated as well. Presented in 
Event Viewer under Application and Services Logs\Microsoft\Windows\AppLocker, these event 
logs are stored with the other event logs in C:\Windows\System32\winevt\Logs and have names 
such as Microsoft-Windows- AppLocker%4EXE and DLL.evtx. There are separate logs covering 
executables and dynamic-link libraries (DLLs), Microsoft installers (MSI) and scripts, packaged 
app deployment, and packaged app execution. The event logs generated will vary depending on 
whether AppLocker is set to audit-only mode or blocking mode. Details of the specific event IDs 
that may apply to your situation can be found at here. 
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender- 


application-control/applocker/using-event-viewer-with-applocker 
Windows Defender suspicious event IDs 


Event 


Description 
ID 


1006 The antimalware engine found malware or other potentially unwanted software. 


The antimalware platform performed an action to protect your system from malware or 


1007 

other potentially unwanted software. 

The antimalware platform attempted to perform an action to protect your system from 
vee malware or other potentially unwanted software, but the action failed. 
iia The antimalware platform deleted history of malware and other potentially unwanted 


software. 
1015 The antimalware platform detected suspicious behavior. 
1116 The antimalware platform detected malware or other potentially unwanted software. 


The antimalware platform performed an action to protect your system from malware or 


a other potentially unwanted software. 

The antimalware platform attempted to perform an action to protect your system from 
moeg malware or other potentially unwanted software, but the action failed. 
an The antimalware platform encountered a critical error when trying to take action on 


malware or other potentially unwanted software. 


5001 Real-time protection is disabled. 

5004 The real-time protection configuration changed. 

5007 The antimalware platform configuration changed. 

5010 Scanning for malware and other potentially unwanted software is disabled. 


5012 Scanning for viruses is disabled. 


Additional details on Windows Defender event log records can be found here. 
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot- 


microsoft-defender-antivirus?view=0365-worldwide 


Windows exploit protection is a feature of Windows 10 that can provide excellent defense against a 
range of adversary exploitation techniques. This feature can protect both the operating system and 
individual applications from common attack vectors, blocking the exploitation when it otherwise 
would have resulted in system compromise. Although some features of exploit protection are 
enabled by default, many are disabled due to their potential to interfere with legitimate software. 
When enabled, this feature logs its activities in the 
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security- Mitigations % 
4KernelMode.evtx and Microsoft-Windows-Security-Mitigations % 4UserMode.evtx 

log files. 


https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit- 


protection? view=0365-worldwide 


Another option to enhance visibility into processes that run on systems in your environment is to 
implement Sysmon, a free utility by Sysinternals, which is now a part of Microsoft. Sysmon can be 
freely downloaded here. 

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon 
When deployed on a system, Sysmon installs as a system service and device driver to generate 
event logs related to processes, network connections, and modifications to file creation times. It 
creates a new category of logs that are presented in Event Viewer under Applications and Services 
Logs\Microsoft\Windows\Sysmon\Operational and is stored in 
C:\Windows\S ystem32\winevt\Logs\Microsoft-W indows-Sysmon%4Operational.evtx. 


An example of useful event IDs generated by Sysmon include: 


Event IDs generated by Sysmon 


Event 
Description 
ID 
Process creation (includes many details such as process ID, path to executable, hash of 
1 executable, command line used to launch, user account used to launch, parent process ID, 
path and command line for parent executable, and more). 
2 A process changed a file creation time. 
3 Network connection. 
4 Sysmon service state changed. 
5 Process terminated. 
6 Driver loaded. 
7 Image loaded (records when a module is loaded in a specific process). 
8 CreateRemoteThread (creating a thread in another process). 
9 RawAccessRead (raw access to drive data using \\.\ notation). 
10 ProcessAccess (opening access to another process’s memory space). 
11 FileCreate (creating or overwriting a file). 


12 Registry key or value created or deleted. 


13 Registry value modification. 

14 Registry key or value renamed. 

15 FileCreateStreamHash (creation of an alternate data stream). 
16 Sysmon configuration change. 


17 Named pipe created. 

18 Named pipe connected. 

19 WMlEventFilter activity detected. 

20 WMlEventConsumer activity detected. 

21 WMlEventConsumerToFilter activity detected. 
22 DNS query event (Windows 8 and later) 


255  Sysmon error 


Auditing PowerShell Use 


Microsoft continues to increase the amount of logs available surrounding PowerShell to help 
combat its nefarious use. Once again, these logging facilities must be enabled via Group Policy, 
specifically at Computer Configuration -> Policies -> Administrative Templates -> Windows 
Components -> Windows PowerShell. There are three basic categories of logging that may be 


available, depending on the version of Windows in question. 


e Module Logging 
Logs pipeline execution events; 


Logs to event logs. 


e Script Block Logging 
Captures de-obfuscated commands sent to PowerShell; 
Captures the commands only, not the resulting output; 


Logs to event logs. 


e Transcription 
Captures PowerShell input and output; 
Will not capture output of outside programs that are run, only PowerShell; 


Logs to text files in user specified location. 


Once enabled, these logs can provide a wealth of information concerning the use of PowerShell on 
your systems. If you routinely run lots of PowerShell scripts, this can produce a large volume of 
data, so be sure to test and tune the audit facilities to strike a balance between visibility and load 


before deploying such changes in production. 


PowerShell event log entries appear in different event logs. Inside of 
% SystemRoot % \System32\winevt\ Logs\Microsoft-Windows-PowerShell % 4Operational.evtx 


you will find two events of particular note: 


Event 


Description 
ID 


4103 Shows pipeline execution from the module logging facility. Includes the user context used 


to run the commands. Hostname field will contain Console if executed locally or will show 


if run from a remote system. 


Shows script block logging entries. Captures the commands sent to PowerShell, but not the 
4104 output. Logs full details of each block only on first use to conserve space. Will show as a 


Warning level event if Microsoft deems the activity Suspicious. 


Additional entries can be found in the %SystemRoot%\System32\winevt\Logs\Windows 
PowerShell.evtx log: 


Event ID Description 


i Indicates the start of command execution or session. Hostname field shows if (local) 
Console or the remote session that caused the execution. 


Shows pipeline execution details. UserID shows account used. Hostname field shows if 
T (local) Console or the remote session that caused the execution. Since many malicious scripts 
encode options with Base64, check the HostApplication field for options encoded with the - 


enc or -EncodedCommand parameter. 


Remember that PowerShell Remoting requires authenticated access, so look for the associated 


Account Logon and Logon events as well. 


Incident Response Tools to Quickly Detect Cyberattacks 


Incident response is a methodology which organization uses to detect, analyse, manage and respond 
a cyberattack. It helps to reduce the damage and do the fast recovery as quickly as possible. There 
are several incident response tools often used by the organization to detect and mitigate the 
cyberattack. here we have list some of the most important cyber incident response tools that widely 
used with most sophisticated features. As you know investigation is always required to safeguard 
your future you must learn the attack and be prepared for it. Security Incident Response Tool has to 
be available for every organisation to identify and addressed the exploits, malware, cyberattacks, 
and other external security threats. These Incident Response Tools usually work with other 
traditional security solutions like firewalls and antivirus, to analyse the attacks before it happens. 


For doing this appropriately, these tools gather the information from the logs, identity system, 


endpoints, etc. it also notices the suspicious actives in the system. If we use these Incident 
Response Tools it becomes easy for us to quickly monitor, resolve, and identify security issues. It 
streamlines the process and eliminates the repeated task manually. Maximum modern tools have 
multiple capacities where they can block, and detect the threat and they can even alert the security 
teams to investigate further issues. Security terms are different for the different areas, and it 
completely depends on the organization’s needs. In this case, pleases select the best tool is always 


challenging, and it also has to give you the right solution. 


Security Incident Response Tools 


e ManageEngine 
e IBM QRadar 

e SolarWinds 

e Sumo Logic 


e AlientVault 


e LogRhythm 

e Rapid7 InsightIDR 
e Splunk 

e Varonis 


e Dynatrace 


ManageEngine 
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This is one of the best Incident Response Tools which focuses and analyzes the various logs and 
takes care of the security. It also identifies the log server and reports the unusual thing to the 


records. It catches very easily unauthorized access in the IT system of the organization very easy. 


There are a few target areas like web servers, databases, DHCP servers, email service, etc. they 
provide essential service. This application works on Linux systems, and Windows and this has data 
protection standards like HIPPA, DSS, PCI, ISO 27001, etc. 


https://www.manageengine.com/ 


IBM QRadar Extensive Data Sources 
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It is one of the widely used Incident Response tools that understand the threats and prioritized all 
responses. Any data first correlates against the threat then it shows its intelligence and 
vulnerability. It also tracks the threat, and they do penetrate and propagate the threat through the 
system. This application creates an intelligent insight that helps to detect the security issue. It 
allows finding the root cause, which helps to eliminate the threats and stop spreading quickly. This 
is the complete solution that can diversify the features including risk and security to stimulate the 
potential attackers. This is best for medium and large-scale businesses, and it can deploy all the 
hardware, software, cloud, SaaS environment. It quickly analyzes the threat of bulk data. 


https://www.ibm.com/in-en/products/qradar-siem 


SolarWinds 


This is an another very good Incident response tools in log management and reporting. It gives a 
real-time incident response. SolarWinds analyze and identify the threats quickly and allow teams to 


monitor and address the threat. This tool is very simple for visualization which allows the user to 


identify suspicious activity. It also has a dashboard that gives the details of every threat which helps 
the developers to detect the problem. This SolarWinds has an option for automates threat response; 
through this, you can monitor USB drives. It also allows you to do log filtering and has node 
management options. This is best for all types of business and works with Linux and Windows. 


https://www.solarwinds.com/ 


Sumo Logic 


This is a cloud-based intelligent security platform, that does the best analysis and works with SIEM 
solutions. This is a multi-cloud platform that also provides a hybrid environment. This platform 
gives you a machine learning experience to enhance threat detection. It also investigates and solves 
the security issue in real-time. It is completely based on a unified data model, which allows the 
security teams to consolidate the security analytics. For using this, it does not need any costly 
hardware and upgraded software. It provides real-time security visibility to the organization so that 
it can quickly identify isolated threats. This configures the security system and monitors the 
infrastructure, applications, etc. 


https://www.sumologic.com/ 


AlienVault 
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AlienVault is one of the very comprehensive Incident Response Tools for threat detection. 
AlientVault is also best for compliance management so that it can provide the best security 
monitoring. It can do all types of remediation for the cloud environment. It also includes multiple 


security capabilities like detection, asset discovery, vulnerability assessment, inventory, event 


correlation, compliance checks, email alerts, etc. AlientVault is affordable in cost which is very 
easy to implement and it uses the USM tool which relies on lightweight sensors. This works like an 
endpoint agent which can detect the threat in real-time. It has a flexible plan for any organization to 
see the threat. A single web portal is enough to monitor everything. 

https://otx.alienvault.com/ 
LogRhythm 


This accommodates all types of superior features which does the log correlation with artificial 
intelligence. It even works for behavioral analysis by using artificial intelligence and analyze the 
traffic. LogRhythm works with platforms like Windows and Linux systems. Its data storage is very 
flexible, and it is also suitable for fragmented workflow. It also provides the extra addition for 
threat detection, though the data is not structured. This does not have properly structured data, no 
good visibility or automation, etc. This is best for small and big businesses and it works with 
windows and other network sites. This is compatible with different logs and devices. 


https://logrhythm.com/ 


Rapid7 InsightIDR 
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This is a very powerful security solution that works for the best as endpoint visibility, 
authentication monitoring, and many other things. This SIEM tool does the data collection, search, 
analysis features, phishing, malware, etc. It detects quickly any suspicious activities for both 


internal and external users. This has advanced deception technology which detects the user’s 


behavioral analytics. It also has other discovery features like file integrity monitoring, log 
management, and much more. This is a suitable tool for any scan where they do real-time detection 
of all types of security threats for small, large, and medium-sized businesses. It provides the proper 
search at the end and helps to make a quick and smart decision. 


https://www.rapid7.com/products/insightidr/ 
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This is mainly used for machine learning and AI technology which are actionable, predictive, and 
effective. It also enhanced the security features and customized the statical analysis, investigation, 
incident review, classification, dashboard, etc. For doing the SaaS deployment, it is suitable for all 
types of businesses, including small and large. Due to its scalability, it includes other assistance like 
healthcare, financial service, and the public sector. Splunk can quickly establish the risk score, 
good in alert management, and provides a fast and effective response. 


https://www.splunk.com/ 
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This is a very handy tool that mainly uses for infrastructure, data access, usage, users, etc. Varonis 
provides also provides alerts, actionable reports, customization, flexibility, and other suspicious 
activity. It also gives the comprehensive dashboard where user can analyze the security terms 
which add the visibility in their data and system. It is a very good tool for an email system where 
unstructured data is available and it gives the best response for resolving the issues. It can 


immediately block the user who attempts access without permission or used an unauthorized IP 


address for login to the organization network. This varonis is an incident response tool that 
provides enhanced insight and alerts before any attack. It provides LogRhythm and enhances threat 
detection; it never fails from the responsibility and responds correctly. It streamlines the operation, 


which very quickly investigates the threats for the users. 


https://www.varonis.com/ 


Dynatrace 


This is one of the best Inciden tesponse tools which can simplify cloud complexity. It also does 
accelerate digital transformation and gives the automatic observability scale. If we talk about 
Dynatrace, it has a huge underlying infrastructure where users can make faster innovation. It can 
collaborate everything very efficiently with less effort. Many large enterprises trust this software 
tool that is not only modernized and also automates cloud operation. It also delivers an unrivaled 


digital experience. 


Difference between Authentications vs. Authorization 


Authentication 

Simple English Meaning: The process or action of verifying the identity of a user or 
process. Authentication is the process of proving one’s identity before trying to gain access to a 
resource. We see Authentication everywhere in our day to day lives such as: 

1. Passports 

2. ID Cards 

3. Aadhaar Cards etc. 
In Tech World, we see Authentication in the following scenarios: 

1. Website LogIns 

2. Mobile Phone LogIns 

3. Computer LogIns etc. 


Generally, Authenticating yourself is just proving to the system that you are the one you are 
claiming to be. It normally takes place in the following way: A user tries to Log In to the system 
and is asked to present his username and password. When both of these things are entered and are 


validated as true by the system, the user is authenticated and is allowed to Log In. 


Types of Authentication 

1. Single-Factor Authentication: It is the simplest form of Authentication and requires just a 
username and password. Once these two are validated, a user is allowed to log in. Example: 
Simple website login 

2. Two-Factor Authentication: This form of Authentication requires an additional piece of 
information that only the user knows, along with the username and password. Example: 
Logging In a website with the username and password, along with an OTP (One-Time 
Password) which is sent to the user’s email id or phone. 

3. Multi-Factor Authentication: This is the most advanced method of Authentication which 
requires two or more levels of security from independent categories of authentication to 
grant a user access to the system. This form of authentication utilizes factors that are 


independent of each other in order to eliminate any data exposure. 


Authorization 
Simple English Meaning: Official permission for something to happen, or the act of giving 
someone official permission for something. The authorization is the process of providing or 
granting permissions to a user to access a protected resource. 
Some examples of Authorization are: 
1. Granting individual access to a specific location in a building 


2. Allowing a user to access specific parts of a website etc. 


Authentication and Authorization working Together in Real World 


Let us take a real-world example where we see both Authentication and Authorization concepts 
working together. 
In offices, when a new employee joins, he is given two things- 

1. ID card (Authentication) 

2. Access Card (Authorization) 


The use of the ID card is to prove the employee’s identity. It contains the name, employee ID and 
some other details of the employee. The use of the Access Card is to grant special permissions to an 
employee to access specific parts of the office. For example, some employees might not have 
permission to access the server room and some employees might have. The Access Card helps in 


establishing the relationship between a user and the scope of access he has. 


https://cybersecuritynews.com/windows-event-log- 
analysis/?fbclid=IwAR2sJSTVJMZQUwzOFOAcrBOSS_xp7a8i5IWpMS5DR21KydGZ4ctamCz49 
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